Merge branch 'master' into dist

Author: kevana

app/app.js

@@ -25,6 +25,10 @@ angular.module('dockerui', [
     'volumes'])
     .config(['$routeProvider', '$httpProvider', function ($routeProvider, $httpProvider) {
         'use strict';
+
+        $httpProvider.defaults.xsrfCookieName = 'csrfToken';
+        $httpProvider.defaults.xsrfHeaderName = 'X-CSRF-Token';
+
         $routeProvider.when('/', {
             templateUrl: 'app/components/dashboard/dashboard.html',
             controller: 'DashboardController'
@@ -75,10 +79,14 @@ angular.module('dockerui', [
                     if (typeof(response.data) === 'string' && response.data.startsWith('Conflict.')) {
                         $.gritter.add({
                             title: 'Error',
-                            text: response.data,
+                            text: $('<div>').text(response.data).html(),
                             time: 10000
                         });
                     }
+                    var csrfToken = response.headers('X-Csrf-Token');
+                    if (csrfToken) {
+                        document.cookie = 'csrfToken=' + csrfToken;
+                    }
                     return response;
                 }
             };
@@ -88,4 +96,4 @@ angular.module('dockerui', [
     // You need to set this to the api endpoint without the port i.e. http://192.168.1.9
     .constant('DOCKER_ENDPOINT', 'dockerapi')
     .constant('DOCKER_PORT', '') // Docker port, leave as an empty string if no port is requred.  If you have a port, prefix it with a ':' i.e. :4243
-    .constant('UI_VERSION', 'v0.10.0-beta');
+    .constant('UI_VERSION', 'v0.10.1-beta');

app/shared/services.js

@@ -1,4 +1,4 @@
-angular.module('dockerui.services', ['ngResource'])
+angular.module('dockerui.services', ['ngResource', 'ngSanitize'])
     .factory('Container', ['$resource', 'Settings', function ContainerFactory($resource, Settings) {
         'use strict';
         // Resource for interacting with the docker containers
@@ -171,13 +171,13 @@ angular.module('dockerui.services', ['ngResource'])
             }
         };
     })
-    .factory('Messages', ['$rootScope', function MessagesFactory($rootScope) {
+    .factory('Messages', ['$rootScope', '$sanitize', function MessagesFactory($rootScope, $sanitize) {
         'use strict';
         return {
             send: function (title, text) {
                 $.gritter.add({
-                    title: title,
-                    text: text,
+                    title: $sanitize(title),
+                    text: $sanitize(text),
                     time: 2000,
                     before_open: function () {
                         if ($('.gritter-item-wrapper').length === 3) {
@@ -188,8 +188,8 @@ angular.module('dockerui.services', ['ngResource'])
             },
             error: function (title, text) {
                 $.gritter.add({
-                    title: title,
-                    text: text,
+                    title: $sanitize(title),
+                    text: $sanitize(text),
                     time: 10000,
                     before_open: function () {
                         if ($('.gritter-item-wrapper').length === 4) {

bower.json

@@ -1,6 +1,6 @@
 {
   "name": "dockerui",
-  "version": "0.10.0-beta",
+  "version": "0.10.1-beta",
   "homepage": "https://github.com/crosbymichael/dockerui",
   "authors": [
     "Michael Crosby <[email protected]>",
@@ -23,6 +23,7 @@
   "dependencies": {
     "Chart.js": "1.0.2",
     "angular": "1.3.15",
+    "angular-sanitize": "1.3.15",
     "angular-bootstrap": "0.12.0",
     "angular-mocks": "1.3.15",
     "angular-oboe": "*",

dist/angular.js

@@ -1 +1 @@
-9d2349d7d4fd3b7a22f87e2b54cd7fb2cfd6d537  dockerui
+965f7ce53139cf9e75e5b8a8206a4af5791eb8f8  dockerui

dist/dockerui

@@ -10,12 +10,18 @@ import (
 	"net/url"
 	"os"
 	"strings"
+	"github.com/gorilla/csrf"
+	"io/ioutil"
+	"fmt"
+	"github.com/gorilla/securecookie"
 )
 
 var (
 	endpoint = flag.String("e", "/var/run/docker.sock", "Dockerd endpoint")
 	addr     = flag.String("p", ":9000", "Address and port to serve dockerui")
 	assets   = flag.String("a", ".", "Path to the assets")
+	authKey  []byte
+	authKeyFile = "authKey.dat"
 )
 
 type UnixHandler struct {
@@ -85,9 +91,35 @@ func createHandler(dir string, e string) http.Handler {
 		h = createUnixHandler(e)
 	}
 
+	// Use existing csrf authKey if present or generate a new one.
+	dat, err := ioutil.ReadFile(authKeyFile)
+	if err != nil {
+		fmt.Println(err)
+		authKey = securecookie.GenerateRandomKey(32)
+		err := ioutil.WriteFile(authKeyFile, authKey, 0644)
+		if err != nil {
+			fmt.Println("unable to persist auth key", err)
+		}
+	} else {
+		authKey = dat
+	}
+
+	CSRF := csrf.Protect(
+		authKey,
+		csrf.HttpOnly(false),
+		csrf.Secure(false),
+	)
+
 	mux.Handle("/dockerapi/", http.StripPrefix("/dockerapi", h))
 	mux.Handle("/", fileHandler)
-	return mux
+	return CSRF(csrfWrapper(mux))
+}
+
+func csrfWrapper(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-CSRF-Token", csrf.Token(r))
+		h.ServeHTTP(w, r)
+	})
 }
 
 func main() {

dist/dockerui.js

@@ -153,6 +153,7 @@ module.exports = function (grunt) {
             },
             angular: {
                 src: ['bower_components/angular/angular.js',
+                    'bower_components/angular-sanitize/angular-sanitize.js',
                     'bower_components/angular-route/angular-route.js',
                     'bower_components/angular-resource/angular-resource.js',
                     'bower_components/angular-bootstrap/ui-bootstrap-tpls.js',